Download Guidelines at a Glance - American Bankers Association
About The Toolbox
Guidelines at a Glance:
Safeguarding Customer Information
Section 501(b) of GLBA requires federal banking
agencies to establish appropriate standards for the
administrative, technical, and physical safeguards for
customers’ “nonpublic personal information.” To
accomplish this congressional mandate, each agency
has issued guidelines that require each bank to
establish an information security program. These
guidelines are separate and apart from the privacy
regulations and notice requirements contained in
Section 501 of GLBA.
A bank’s information security program must be designed to ensure the security and
confidentiality of customer information, protect against any anticipated threats or hazards
to the security or integrity of such information, and protect against unauthorized access to
or use of such information that would result in substantial harm or inconvenience to any
customer.
Because the guidelines closely mirror existing agency guidance, in many instances
financial institutions will already have information security programs that identify and
control risks to information and information systems. While the guidelines cover only
“customer information” as that term is defined, the agencies encourage institutions to use
the approach provided by the guidelines to protect all customer and bank records.
The agencies have promulgated a set of uniform examination procedures intended to assist
examiners in assessing the level of compliance with the security guidelines; we have
incorporated those procedures in “Guidelines at a Glance: Safeguarding Customer
Information.” We have used these guidelines as a roadmap throughout this toolbox, as a
reference guide to the key questions and considerations confronting your institution as
you refine your security program. The guidelines allow each institution the
discretion to design an information security program that suits its particular size and
complexity and the nature and scope of its activities. At the same time, each institution
must demonstrate that its security program addresses the following:
AMERICAN BANKERS ASSOCIATION
Role of the Board of Directors. The board of directors or an appropriate committee of
the board is responsible for approving the written information security program and
overseeing the program’s development, implementation, and maintenance, including
assigning responsibility for its implementation. At least once a year, management should
provide a status report to the board or the appropriate committee.
Identify and Assess Risk. The institution should first assess risks to its customer
information. An institution’s risk assessment should identify reasonably foreseeable
internal and external threats that could result in unauthorized disclosure, misuse,
alteration, or destruction of customer information or customer information systems.
Additionally, the risk assessment should consider the likelihood and potential damage of
these threats, taking into consideration the sensitivity of customer information. Finally,
the assessment should consider the sufficiency of existing policies, procedures, customer
information systems, and other arrangements intended to control the risks identified.
Manage and Control Risk. The institution should design an information security
program to control the identified risks, commensurate with the sensitivity of the
information and the complexity and scope of the bank’s activities. The guidelines
highlight eight security measures that institutions should consider and adopt if
appropriate.
The information security program also should include training for staff and regular
testing of the key controls, systems, and procedures. The nature and frequency of the tests
should be determined by the institution’s risk assessment. To ensure objectivity, tests
should be conducted or reviewed by third parties or staff who are independent of those
who develop or maintain the security programs.
Oversee Service Provider Arrangements. Institutions also have an obligation to oversee
their service providers. Institutions that use service providers should exercise appropriate
due diligence in selecting them, including conducting a review of the measures taken by
the service providers to protect customer information. The contract between the
institution and the service provider must require the provider to implement appropriate
measures designed to meet the objectives of the guidelines. Wherever indicated by an
institution’s risk assessment, the institution should monitor its service providers to
confirm they are implementing the agreed-upon security measures. As part of this
monitoring, an institution should review audits, summaries of test results, or other
equivalent evaluations of its service providers.
Adjust the Program. Risks to customer information change over time with changes in
technology, the sensitivity of customer information, internal or external threats to
information, and the institution’s own business arrangements, such as mergers and
acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to
customer information systems. Therefore, institutions should monitor, evaluate, and
adjust, as appropriate, their information security program. The regulatory agencies
expect institutions to make the appropriate changes to their information security
programs before any changes are made to their customer information systems.
Implement the Guidelines. The guidelines were effective on July 1, 2001. However,
there is a two-year grandfathering provision for service provider contracts. Existing
service provider contracts (namely, contracts entered into on or before March 5, 2001) do not
have to be renegotiated to comply with the guidelines until July 1, 2003.
The regulatory agencies have adopted uniform examination procedures intended to assist
examiners in assessing the level of compliance with the guidelines. These procedures are
designed to apply to a wide range of banks, and as such, examiners have been instructed
that certain procedures may not apply to smaller or less complex institutions. Institutions
should be prepared to explain to examiners why a particular procedure is not
applicable, based on the institution's size, complexity, or risk assessment.
Guidelines At A Glance:
Safeguarding Customer Information
Key Questions or Considerations

I. Determining The Involvement Of The Board.

A. Has the board or its designated committee approved a written Corporate Information Security
Program that meets the requirements of the Information Security Guidelines (guidelines)?

B. If the board has assigned responsibility for program implementation and review of
management reports to an individual or committee, do they possess the necessary
knowledge, expertise and authority to perform the task?

C. Does the program contain the required elements?
   1. If more than one information security program exists for the institution, are the programs
   coordinated across organizational units?

D. Determine the usefulness of reports from management to the board (or its designated
committee). Does the report adequately describe the overall status of the program, material
risk issues, risk assessment, risk management and control decisions, service provider
oversight, results of testing, security breaches and management's response, and
recommendations for program changes?
   1. How often does the board (or its designated committee) review reports?

E. Overall, do management and the board (or its designated committee) adequately oversee the
institution's information security program?
II. Evaluating The Risk Assessment Process.

A. Review the risk assessment program.
   1. How does the institution assess risk to its customer information systems and non-public
   customer information?
   2. Has the institution evaluated the risk to the entire customer information system?
   3. Has the institution used personnel with sufficient expertise to assess the risks to its systems
   and customer information on an enterprise-wide basis?
   4. Is the risk assessment part of a formal risk assessment process with timelines and
   milestones? If not, how will management ensure timely completion?
   5. Does the institution have a process for identifying and ranking its information assets (data
   and system components) according to sensitivity? How does it use this process in its risk
   assessment?

B. Assess adequacy and effectiveness of the risk assessment process.
   1. Does the institution identify all reasonably foreseeable internal and external threats that could
   result in unauthorized disclosure, misuse, alteration, or destruction of customer information or
   customer information systems?
   2. Does the institution support its estimate of the potential damage posed by various threats?
   3. Review the institution’s existing controls to mitigate risks. Does the institution’s analysis
   consider the current administrative, physical, and technical safeguards that prevent or
   mitigate potential damage?
   4. Does the institution use test results to support its assessment of the adequacy and
   effectiveness of those controls?

C. Does the institution identify and prioritize its risk exposure, decide on the risks it must
mitigate, and create a mitigation strategy? Is the decision to accept risks documented and
reported to the appropriate management levels?
   1. Does the institution promptly act to mitigate risks that pose the immediate possibility of
   material loss?
   2. How does the institution demonstrate that the mitigation strategy was reviewed by
   appropriate officials?
   3. Does the risk assessment provide guidance for the nature and extent of testing?
   4. Does the risk assessment include vendor oversight requirements?
III. Evaluating The Adequacy Of The Program To Manage And Control Risk.

A. Review internal controls and policies. Has the institution documented or otherwise
demonstrated, at a minimum, that it considered the following controls, and adopted those it
considered appropriate?
   1. Access controls, such as controls to authenticate and permit access to customer information
   systems to authorized persons only.
   2. Access restrictions at physical locations, such as buildings and computer facilities, to permit
   access to authorized persons only.
   3. Encryption of electronically transmitted and stored customer data.
   4. Procedures to ensure that system modifications are consistent with the approved security
   program.
   5. Dual control procedures, segregation of duties, and employee background checks.
   6. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions
   into customer information systems.
   7. Response programs specifying actions to be taken by specific individuals when the institution
   suspects unauthorized access (i.e., incident response).
   8. Measures to protect against destruction, loss, or damage of information from potential
   environmental hazards, such as fire and water damage or technological failures.

B. Is staff adequately trained to implement the security program?
   1. Obtain from management a listing of the training provided to all users of the institution’s
   system.

C. Determine whether key controls, systems, and procedures of the information security
program are regularly tested by independent third parties or qualified independent staff in
accordance with the risk assessment.
   1. Assess whether the nature and frequency of testing is consistent with the risk assessment.
   2. Assess whether tests are conducted or reviewed by independent third parties or qualified
   staff independent of those that develop or maintain the security program.
   3. Assess whether management reviews test results promptly. Assess whether management
   takes appropriate steps to address adverse test results.
IV. Assessing The Measures Taken To Oversee Service Providers.

A. Determine whether the institution exercises due diligence in selecting service providers.

B. Determine what information is supplied to service providers.

C. Obtain a copy of the contract(s) with the service provider(s). Determine whether contracts
require service providers to implement appropriate measures to meet the objectives of the
guidelines.

D. If the institution’s risk assessment requires monitoring a service provider, then perform the
following steps for each applicable service provider.
   1. Determine whether the service provider contract provides for sufficient reporting from the
   service provider to allow the institution to appropriately evaluate the service provider’s
   performance and security, both in ongoing operations and when malicious activity is
   suspected or known.
   2. Determine whether the institution’s actions adequately control information supplied to service
   providers, ensuring that the information is managed and secured properly.
   3. Review the financial condition of the service provider.
V. Determining Whether An Effective Process Exists To Adjust The Program.

A. Does the institution have an effective process to adjust the information security program as
needed? Is the appropriate person assigned responsibility for adjusting the information
security program?

B. Review procedures that are in place to ensure that when the institution makes changes in
technology and its business functions, the requirements of the guidelines are also considered.
These changes can include:
   1) Technology changes (e.g., software patches, new attack technologies and methodologies).
   2) Sensitivity of information.
   3) Threats (both nature and extent).
   4) Upcoming changes to the institution’s business arrangements (e.g., mergers and acquisitions,
   alliances and joint ventures, outsourcing arrangements).
   5) Upcoming changes to customer information systems (e.g., new configurations or
   connectivity, new software).

C. Determine whether appropriate expertise is applied to evaluate whether changes to the
information security program are necessary.

D. Determine whether appropriate controls exist to ensure changes to the information security
program are properly implemented in a timely, risk-based manner.